Visa Dumps Global Payments Following Credit Card Data Breach

Visa says Global Payments is no longer on the list of "compliant service providers" following a breach that may have compromised up to 1.5 million Visa and MasterCard accounts.

Visa has dropped Global Payments from its list of companies that are deemed compliant with security policies following a data breach that may have compromised as many as 1.5 million Visa and MasterCard accounts.

Visas decision to drop Global Payments from its registry of service providers that meet the credit card companys data security standards came April 1, two days after the breach became public. During a conference call April 2 to discuss the situation, Global Payments CEO Paul Garcia talked about Visas move, and reportedly said he expects his company to be returned to the list after it comes back into compliance with the Visa policies. However, Garcia didnt say when that may be.

Officials with Visa and MasterCard announced last week that data from credit card accounts was stolen following a data breach at a third-party processor, and stressed that their own servers had not been compromised. The credit card companies initially did not say which transaction processing company was attacked, but it soon leaked out that it was Global Payments.

In a statement released April 1, Global Payments executives said that the data breach affected fewer than 1.5 million accounts, and that the impact was contained to North America. The statement said the information stolen was Track 2 card data, which comprises information accessed by ATMs and credit card checkers, such as the cardholders account and encrypted PIN.

However, what data was possibly stolen was one of a number of discrepancies between what Visa and MasterCard reported, and what Global Payments said, according to Gartner analyst Avivah Litan. In a blog post April 2, she noted that the credit card companies said that Track 1 dataincluding cardholder names and account numbersas well as Track 2 information were accessed. Global Payments officials said in the statement that cardholder names, addresses and Social Security numbers were not obtained by the criminals.

In addition, Visa had said the data breach occurred between Jan. 21 and Feb. 25, while Global Payments officials said they detected and reported the breach in early March. Global payments also had not heard about any reports about fraud occurring on the stolen cards, Litan said.

Sounds like theres a lot more going on out there than the payment industry and law enforcement have nailed down and are prepared to talk about, she wrote.

Atlanta-based Global Payments is a Fortune 1000 company that saw earnings jump 18 percent, to more than $92 million, in the past fiscal quarter, on revenues of more than $533 million, a rise of 17 percent from the same period last year, according to financial numbers announced April 2.

Officials from both Visa and MasterCard said March 30 that they were notifying card issuers of the breach, and that card users would hear from their issuers if there were a problem. They reiterated that card users would not be responsible for fraudulent charges put on their cards.

In a blog post March 30, Gartners Litan wrote that criminals already had begun using the stolen credit card information.

Ive spoken with folks in the card business who are seeing signs of this breach mushroom, she wrote. Looks like the hackers have started using the stolen card data more recently.

For its part, Global Payments said the company is working with third parties, regulators and law enforcement officials to to assist in the efforts to minimize potential cardholder impact. It has engaged multiple information security and forensics firms to investigate and address this issue. CEO Garcia said in a statement that the company is making rapid progress toward bringing this issue to a close.